Hello,
my hardware has only one ethernet port. Is it save to use the same ethernet cable for LAN and WAN, when WAN is via PPPoE with VLAN tag 7 and LAN is untagged? On the other side the VLAN gets separated by a managed switch, so LAN goes to the rest of the intranet and VLAN 7 goes to the modem. Could an attacker from the WAN side be sniffing packets from the LAN?
Thanks for any hints.
Yes, it is possible to do this using VLANs. But you should tag the LAN, too. Mixing tagged and untagged frames on the same interface isn't recommended on OPNsense.
There should be no security impact as long as the switch is configured correctly.
Cheers
Maurice
Thanks Maurice. I did a first test with tcpdump in a simple demo setup and two switches. Seems to be okay. Will test it with real traffic. I wish, I could have done it all within the gateway router, a Fritzbox. One could connect its WAN directly to its LAN and connect that to a managed switch. But no info anywhere about the internal VLAN handling of a Fritzbox.